from the good-luck-with-that,-mate dept

Oh boy. It's no secret that the Australian government -- led by George Brandis (who has made it abundantly clear he has no clue what a VPN is or what metadata is) -- is pushing strongly for mandated backdoors to encryption. At this point, it's beating a dead horse, but this is a very, very bad idea for a whole host of reasons -- mainly having to do with making absolutely everyone significantly less safe.

And it appears that Brandis' ignorance has moved up the chain of command. Australian Prime Minister Malcolm Turnbull has now put out what may be the single dumbest statement on encryption yet (and that's a pretty high bar). After being told yet again that safe encryption backdoors violate basic mathematics, Turnbull became super patriotic about the ability of Australian law to trump mathematics:

"The laws of Australia prevail in Australia, I can assure you of that," he said on Friday. "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

And then he pulled out the "nerd harder, nerds" argument:

"I'm not a cryptographer, but what we are seeking to do is to secure their assistance," Turnbull said. "They have to face up to their responsibility. They can't just, you know, wash their hands of it and say it's got nothing to do with them."

"I am sure they know morally they should. Morally they should."

So after admitting that he doesn't understand how this works, he's saying that the "moral" responsibility of cryptographers -- who have basically all told him his plan will make people less safe -- is to make people less safe.

Turnbull seems to think he can get around the whole problem by... semantics. You see, if we just redefine things and say we're not asking for "backdoors" then it's fine:

"A back door is typically a flaw in a software program that perhaps the -- you know, the developer of the software program is not aware of and that somebody who knows about it can exploit," he said. "And, you know, if there are flaws in software programs, obviously, that's why you get updates on your phone and your computer all the time."

"So we're not talking about that. We're talking about lawful access."

That bit of word salad suggests that at least a tiny smidgen of actual knowledge made it into his brain. A backdoor is an exploit. But "lawful access" is a backdoor. Pretending they are different suggests a fairly staggering level of ignorance.

Asked how Australia's proposed regime would allow local authorities to read messages sent with either WhatsApp or Signal, Brandis said “Last Wednesday I met with the chief cryptographer at GCHQ ... And he assured me that this was feasible.”

Right. It's pretty well known that intelligence communities can frequently hack into things to get messages, not because of backdoors to encryption but through other flaws. This includes things like keyloggers or other spyware that effectively route around the encryption. But that's entirely different than demanding backdoors. And, of course, this all comes about a week after GCHQ's own former boss argued that attacking the end points was a better strategy than backdoors. It's almost certain that what GCHQ told Brandis is that they can be pretty successful in attacking those endpoints, without undermining encryption -- and that message got twisted in Brandis' mind to believe that it meant that there were already backdoors in WhatsApp and Signal (there are not).

This whole thing is a somewhat tragic comedy of errors with completely clueless politicians making policy badly, potentially putting everyone at risk... while astoundingly claiming that laws can trump basic mathematics. What a joke.

from the putting-an-end-to-the-end-to-end-debate dept

When he was head of GCHQ, Robert Hannigan said some pretty clueless things about the Internet and encryption. For example, in 2014, he accused tech companies of 'facilitating murder', and joined in the general demonization of strong crypto. Last year, he called for technical experts to work more closely with governments to come up with some unspecified way around encryption. Nobody really knew what he meant when he said:

"I am not in favor of banning encryption. Nor am I asking for mandatory back doors. … Not everything is a back door, still less a door which can be exploited outside a legal framework."

"You can't uninvent end-to-end encryption, which is the thing that has particularly annoyed people, and rightly, in recent months. You can't just do away it, you can't legislate it away. The best that you can do with end-to-end encryption is work with the companies in a cooperative way, to find ways around it frankly."

He emphasized that backdoors are not the answer:

"I absolutely don't advocate that. Building in backdoors is a threat to everybody, and it's not a good idea to weaken security for everybody in order to tackle a minority."

So what is the solution? This:

"It's cooperation to target the people who are using it. So obviously the way around encryption is to get to the end point -- a smartphone, or a laptop -- that somebody who is abusing encryption is using. That's the way to do it."

As Techdirt reported earlier this year, this is very much the approach advocated by top security experts Bruce Schneier and Orin Kerr. They published a paper describing ways to circumvent even the strongest encryption. It seems that Hannigan has got the message that methods other than crypto backdoors exist, some of which require cooperation from tech companies, which may or may not be forthcoming. It's a pity that he's no longer head of GCHQ -- he left for "personal reasons" at the beginning of this year. But maybe that has given him a new freedom to speak out against stupid approaches. We just need to hope the UK government still listens to him.

The list of new powers doesn't end with these. UK intelligence agencies are also given permission to perform "electronic interference" -- hack into computers and electronic devices belonging to UK citizens, not just individually, but in bulk. It also codifies secret (and illegal) surveillance of UK citizens that the country's intelligence agencies have engaged in for years without proper authority or oversight.

The government, of course, is trying to portray this as nothing more than a fine tuning of preexisting laws, specifically the Regulation of Investigatory Powers Act (RIPA). Glossed over in its perfunctory "nothing to see here" explanation is the fact that RIPA was also rushed into existence to codify other secret and illegal surveillance programs.

But it's no ordinary update of existing investigatory laws. Jim Killock of the Open Rights Group calls the Snooper's Charter "the most extreme surveillance law ever passed in a democracy." Thanks to the new powers, UK intelligence agencies should be able to put together very extensive dossiers on pretty much anyone they feel like.

This is the collection of Internet Connection Records (ICRs)—a record of which services every citizen is connecting to, logged in real-time. This unprecedented level of micro-surveillance is accompanied by a machine to make sense of the mass of data, called a ‘Filter’, but is in essence, a search engine. It can match these ICRs with your mobile phone location data and call histories. It can, we believe, be used to profile the social relationships and the sexual and political activities of every U.K. citizen.

Beyond the expansion of law enforcement and surveillance powers is the precedent set by the government in its continual codification of secret surveillance programs. Like RIPA before it, the new law sends a message to intelligence and law enforcement agencies that all misdeeds will ultimately be legislatively forgiven by their overseers. Agencies are implicitly invited to hide programs from overseers and explore new collection techniques without running them past anyone else in the government first. And years later, it will all be papered over by "updated laws."

This is also good news for other Five Eyes surveillance partners. The NSA and GCHQ's information sharing partnership means the US agency now has access to even more data on British citizens. Almost anything GCHQ can acquire, the NSA can access. And now GCHQ can access more than ever.

from the build-a-better-data-scoop-and-the-world's-government-will-beat-a-path-to-you dept

Dozens of internal documents and emails from Endace, obtained by The Intercept and reported in cooperation with Television New Zealand, reveal the firm’s key role helping governments across the world harvest vast amounts of information on people’s private emails, online chats, social media conversations, and internet browsing histories.

Endace -- like almost every other company in the literal spyware business -- also seems willing to sell to the highest bidder, no matter where they sit on their home nation's friends/enemies lists.

The leaked files, which were provided by a source through SecureDrop, show that Endace listed a Moroccan security agency implicated in torture as one of its customers. They also indicate that the company sold its surveillance gear to more than half a dozen other government agencies, including in the United States, Israel, Denmark, Australia, Canada, Spain, and India.

The documents now in The Intercept's hands detail Endace's work for GCHQ, assisting it in its quest to pull as much data and communications as it can from underseas cables which conveniently route about one-fourth of the world's internet traffic into the waiting arms of the spy agency. These leaked documents were cross-referenced with The Intercept's Snowden stash to confirm their legitimacy.

The documents show GCHQ asked Endace for several modifications of the stock product it originally presented to the agency. These alterations served one purpose: to build haystacks faster.

A November 2010 company document said that “FGA” ["friendly government agency"] had an order of 20 systems scheduled for delivery in March 2011. Each system was equipped with two “data acquisition” cards capable of intercepting 20Gs of internet traffic. The total capacity of the order would enable GCHQ to monitor a massive amount of data — the equivalent of being able to download 3,750 high-definition movies every minute, or 2.5 billion average-sized emails an hour.

Other info in the documents shows Endace and GCHQ were (are?) aiming for deployment of 300-500 of these systems, allowing the agency to pull in a large percentage of the traffic traveling through tapped underseas cables. There are also hints that suggest some data is more useful to the GCHQ than others, with WhatsApp, Facebook, Gmail, and Hotmail being specifically named. Also of importance to GCHQ: the ability to track targets by MAC address.

When Endace isn't selling to "friendly" government surveillance agencies (and "friendly" governments with decades of human rights abuses under their belts), it's also selling its interception technology to telcos to better assist them in complying with law enforcement requests.

Perhaps the most darkly comic aspect of all of this is that UK and New Zealand taxpayers are likely being double-dipped for surveillance efforts that encompass their own data and communications. Not only are they paying for the tech and ongoing collection efforts, but Endace was also awarded $11.1 million in government grants to defray 50% of the cost of "substantial product developments." Endace isn't saying which products were developed using these grants, and the New Zealand government says the company isn't obligated to reveal how this money was spent.

from the 17-years-of-bulk-rogering dept

The ruling said the regime governing the collection of bulk communications data – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public.

It said the holding of bulk personal datasets (BPD) – which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data – also failed to comply with article 8 for the decade it was in operation until its public avowal in March 2015.

This ruling comes at a particularly opportune time -- just as the UK government is putting the finishing touches on another investigatory powers bill: the so-called Snooper's Charter. But not necessarily because this will deter GCHQ from further bulk data collections. In fact, the ruling may give pro-surveillance politicians a better idea of how to make future collections stand up to legal challenges.

On the other hand, the tribunal's examination of the case uncovered some interesting statements by agency insiders who rather presciently noted the press would have a field day if information about the programs were ever made public. (The statement also shows the agency was prepared to head off backlash by questioning the media's truthiness.)

The IPT ruling included the disclosure from an unpublished 2010 MI5 policy statement that the “bulk personal datasets” include material on the nation’s personal financial activities. “The fact that the service holds bulk financial, albeit anonymised, data is assessed to be a high corporate risk, since there is no public expectation that the service will hold or have access to this data in bulk. Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate,” it says.

The ruling is the end result of Privacy International's multiple legal challenges to British spying powers. Even though this is a win for PI, the charity also notes that no ruling was made on how the illegally-obtained datasets should be disposed of… or if they even will be.

The UK government responded to the ruling showing it had "overseen" more than a decade's-worth of illegal data collection with a cheerily tone deaf, "Things are so much better now!"

"The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.

Through the investigatory powers bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies."

It's not the stuff that's gone on for years. That's apparently not important. No, UK citizens need to keep their eyes on the prize: the ten months or so of legal spying UK intelligence agencies have been engaged in, as well as the eventual codification of other possibly-illegal surveillance programs.

from the oh,-that's-OK,-then dept

The idea behind smart meters -- that detailed information about how you consume electricity will allow you to use power more efficiently and thus cut your bills and your home's carbon emissions -- is a good one in theory. And yet smart meters are still not used very widely, even in countries like the UK, where the government has a strategy to install millions of them by 2020. Actually, the likely savings by users are small, but smart meters also promise to allow the electricity industry to lower salary costs by carrying out meter readings remotely, which is one reason why it is so keen on the idea. Another is that smart meters make it easy to cut off someone's supply if they don't pay their bills.

The slow uptake of smart meters seems in part to be due to public concerns about security. People are worried that their smart meter will spy on them, sending back information to electricity companies that might be intercepted and used for targeted burglary when they are away. Similarly, there are fears that if the smart meter control system were compromised, domestic electricity supplies might be at risk on a large scale.

One of UK Parliament's most important committees, the one monitoring science and technology, has just published a report into the UK smart meter roll-out, offering recommendations for ways to speed it up. Security is an issue it discusses, and one of the committee's recommendations is as follows:

We recommend that the Government consider further how to communicate the level of thought that has gone into designing a secure system for smart metering

More about that "level of thought" is found in an appendix to the report, which contains the UK government's evidence on this topic, including the following statement:

The Department of Energy and Climate Change (DECC) has worked with GCHQ since the very early design stage of the rollout, when the programme was initiated. The engagement with GCHQ has been one of partnership, issue discussion and resolution.

We hope that this article has explained the thinking behind the design of the Smart Metering System. DECC, with support from GCHQ (part of which will become the National Cyber Security Centre) has security right at the top of the list of things it cares about. Of course, no system is completely secure, and nothing is invulnerable. However, we’re confident that the Smart Metering System strikes the best balance between security and business needs, whilst meeting broader policy and national security objectives.

It's interesting that the post mentions national security objectives. As Techdirt has reported, one of the worst features of the UK's Investigatory Powers Bill that is currently wending its way through Parliament is that it creates a legal framework to allow GCHQ and the other intelligence agencies to hack into any kind of equipment in order to carry out surveillance. Of course, that's really rather easy when you were the one who designed its security systems.

from the well,-that's-just-dandy dept

Generally speaking, taking cues from China on things like best ways to censor the internet... probably isn't the best idea. Yet, it appears that's exactly what the UK's big surveillance agency, GCHQ, is doing. The "Director-General of Cyber" (that's a thing? yikes!) at GCHQ, Ciaran Martin, gave a speech at a cybersecurity summit in DC recently and announced exciting plans to censor the UK internet at a DNS level. No, really.

Finally, we're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses? Now it's crucial that all of these economy-wide initiatives are private sector led. The Government does not own or operate the Internet. Consumers must have a choice. Any DNS filtering would have to be opt out based. So addressing privacy concerns and citizen choice is hardwired into our programme.

Of course, while the reasoning and sentiment may sound good, we've pointed out time and time again how DNS filtering, in particular, is a really bad idea that actually does more harm than good for internet security. The internet works under the expectation that when you put in an address, the DNS system returns with info from the proper server.

And, of course, once you start mucking with the DNS system for filtering out stuff that you consider to be "malware" or "bad addresses" you open it up to much worse. You also end up validating China's Great Firewall, since China just responds that their use of DNS filtering is also used to block "bad addresses." It's just that they have a different interpretation of what's "bad."

The documents confirm that a little-known policing body called the Scottish Recording Centre (SRC) was given access to information logs that includes millions of communications data including phone activity, internet histories, and social media behaviour on Facebook.

The confirmation that UK state spy agency GCHQ ran a specific programme, called “MILKWHITE”, to share data with devolved policing and tax authorities is the first Snowden leak to directly implicate Scottish authorities in the controversial policy of ‘bulk data’ collection.

And just like that, the "obscure Scotland-based surveillance unit" is no longer obscure. It's safe to say most of Scotland's citizens were unaware of its existence until the latest revelations. While there's probably only been a small bump in general public awareness, it has mobilized activists and given them the ammo they need to question their representatives.

Richard Haley, chair of human rights group Scotland Against Criminalising Communities, has said that the SRC raises “very serious questions”.

Haley asked: “The Scottish Recording Centre might be unknown to most of us, but the Scottish Government must be familiar with it because of its role in legally authorised interception. Did the Scottish Government know of its involvement in MILKWHITE? If not, why not? And if they did, why didn't they sound the alarm? And for that matter, what is the Scottish Recording Centre? A real set of offices and computers, or just an organisational concept?”

Haley and others are seeking answers. They likely won't be getting them any time soon. The Police Service of Scotland -- which partakes of the SRC data haul -- says it won't discuss "intelligence matters." GCHQ added its own boilerplate in response, stating it also won't discuss "intelligence matters," and that everything it does is subject to multiple legal authorities and strict oversight: two claims leaked documents keep refuting.

Those claims are even refuted within this article about the leaked documents. Michael Gray of CommonSpace points out that the Police Service of Scotland previously spied on communications between journalists in violation of the law. The service has also been linked to targeting of political activists -- none of which sounds particularly "lawful," much less "authorised, necessary, and appropriate," to borrow a phrase from GCHQ's non-comment.

from the so...-what-do-you-spies-think-we-should-do-about-all-this-spying? dept

New documents obtained by Privacy International as a result of its ongoing litigation over GCHQ bulk surveillance show (yet again) there's really no such thing as "oversight" when it comes to spying. Owen Bowcott of The Guardian highlights conversations between GCHQ and its supposed oversight, in which the former talks the latter out of applying more restrictive guidelines from updated laws to its massive data intake. (Unfortunately, Bowcott discusses the documents but does not link to them, and I have been unable to locate these at Privacy International's website. Found 'em.)

The letters were sent by Home Office legal advisers, GCHQ and Sir Swinton Thomas, who was the interception of communications commissioner. The organisation is now called the Interception of Communications Commissioner’s Office (IOCCO).

In May 2004, a Home Office legal adviser wrote to Thomas backing an MI5 proposal that collecting bulk data from communication service providers for its “database project” be authorised under section 94 of the 1984 Telecommunications Act because, at that stage, there were no human rights implications or breach of privacy concerns. Using that act would not require a notice to be put before parliament because it could be used secretively on the grounds that “disclosure of the direction would be against the interests of national security”.

Thomas briefly tried to act as an overseer, suggesting the GCHQ would be on firmer legal footing if it applied a more-updated law to its collection practices: the Regulation of Investigatory Powers Act of 2000. Because this newer law contained more procedural safeguards and additional transparency requirements, GCHQ was obviously uninterested in applying this to its bulk collections.

The UK Home Office got involved at this point, claiming the newer law was not really a law at all, but a collated stack of suggestions.

The Home Office responded, saying that, although Ripa might be engaged, it did not think that meant it must be used. The letter continued: “The only practical difference between the two sets of provisions is if [Ripa] were used, a new notice would need to be issued every month … involving a fresh consideration of the necessity and proportionality issues. This would not be the case under section 94 [of the Telecommunications Act].”

Yeah, why bother periodically reassessing "necessity and proportionality" of orders when you can issue one order and have it apply indefinitely? GCHQ also expressed its concern about using the new law, saying it wanted to keep all of its collections in one big pile, even if that meant intermingling minimized and unminimized data.

Its oversight reluctantly agreed.

Thomas backed down, replying that, “on reconsideration”, use of Ripa was not mandatory. He added: “I am also impressed by the considerable and, if possible to be avoided, inconvenience in following the [Ripa] procedure in the database procedures.”

And, just like that, any protections UK citizens might have gained from the 2000 version of RIPA were waved away in the interest of bulk collection convenience. This conversation has every appearance of someone raising an issue in hopes of being talked out of it and expressing relief when this was accomplished. For UK citizens, this meant that GCHQ could collect both minimized data (anonymized by stripping of identifying info) and unminimized data and mix it all together in its storage, thereby nullifying the protective minimization methods.

It is, as Privacy International states, a "total failure" of oversight. There's no evidence that the Home Office or the IOCCO ever acted in an adversarial fashion. Both appear to have cut GCHQ as much slack as it needed to avoid having to adhere to an updated law written explicitly to regulate investigatory powers. Instead, they both allowed GCHQ to avail itself of lower legal requirements by applying a 20-year-old law -- one that could not have possibly anticipated the exponential surveillance growth in the intervening years -- to its post-2001 bulk surveillance.

from the you-look-foolish dept

For all the idiotic things said about Ed Snowden, at least US bureaucrats appear to have come around to the idea that he helped kick off a necessary debate on surveillance powers and privacy. Just recently we had former Attorney General Eric Holder admit that Snowden "performed a public service by raising the debate." And regular surveillance apologist and former Defense Department lawyer Jack Goldsmith just said that "Snowden forced the intelligence community out of its suboptimal and unsustainable obsession with secrecy."

It appears that some of their counterparts in the UK are still in denial about all of this. GCHQ's boss Robert Hannigan, who's currently on a PR charm offensive (or should that be just offensive PR?), insists that Snowden has nothing to do with the ongoing debate, which he says was happening prior to Snowden leaking documents:

No, Edward Snowden had not sparked a global debate about privacy - that had been under way already - but terrorist targets GCHQ had been tracking had learned from his revelations with heavens knows what consequences, he said.

This is delusional, and calls into question whether or not the GCHQ has management that lives in reality or in a fantasy land. As someone who has followed this issue since well before the Snowden leaks, to argue that the debate was happening in any real way prior to them being splashed across the press is a flat out lie. You can disagree with what Snowden did -- as Hannigan clearly does. But to argue that the revelations did not spark the debate is clearly wrong.

As for the latter part of Hannigan's claim, that terrorists learned stuff from the Snowden documents that created "heaven knows what consequences," that's a load of bunk also. Actual studies showed basically no change in behavior by terrorists post-Snowden, as many already assumed that their basic communications were being tracked. And no one has yet demonstrated any legitimate consequences from his revelations other than forcing people like Hannigan to have to answer questions about why the GCHQ and NSA seem to be spying on tons of people.

If this new PR campaign is about rebuilding trust in the GCHQ, Hannigan might want to recognize that spewing pure bullshit doesn't make people trust him more. It makes them trust him a lot less.